Telstra CISO responds to customer data privacy concerns

Telstra CISO Mike Burgess says the telco has taken steps to tighten up security controls following three data breach investigations launched by Australian Privacy Commissioner Timothy Pilgrim since 2010.

The latest investigation followed an incident in May 2013, when spreadsheets containing 15,775 customer names, phone numbers and home addresses were found online via a Google search.

Pilgrim concluded that Telstra had breached three National Privacy Principles (NPPs):

NPP 4.1 – failure to take reasonable steps to ensure the security of the personal information it held

NPP 4.2 – failure to take reasonable steps to destroy or permanently de-identify the personal information it held

NPP 2.1 – disclosure of personal information other than for a permitted purpose

The first investigation began on 28 October 2010, when Telstra told the Office of the Australian Information Commissioner (OAIC) that a mailing list error had resulted in approximately 220,000 letters being sent to incorrect addresses.

Telstra disclosed that this error may have caused the personal information, including names and telephone details, of some of its customers to be improperly disclosed.

Following his investigation into the matter, Pilgrim concluded that Telstra had breached National Privacy Principle (NPP) 2 by disclosing the personal information of some of its customers to unauthorised third parties.

On 12 December 2011, Pilgrim opened a further investigation after customer records held on Telstra’s customer service website were found to be openly accessible on the Internet.

Burgess said Telstra CEO David Thodey has “made it very clear” in an email to staff that they need to look after customer data.

Burgess’s team of 240 information security staff, for example, continuously scans the telco’s networks and infrastructure for attacks.

“We have a program of scanning new products and websites when they are put online. These products and websites are subject to mandatory security testing and when we make changes to our systems or networks, we apply mandatory checking to those systems.

“Security is an ongoing process; we can’t sit back and relax. For me, customer privacy is our number one priority.”

“We saw people scanning us, looking for that [OpenSSL] vulnerability, but we were able to shut them down.”

According to Burgess, every Internet-facing system running the vulnerable OpenSSL build that could be exploited from outside has been fixed.

“We have a small number of issues internally but there is no risk from someone outside of Telstra exploiting those,” he said. “The reason for that slight delay internally is we keep our networks up and running. There is a change process involved to make sure we don’t impact customer services.”
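The distinction Burgess draws, fixing externally exploitable instances first and letting internal-only ones go through change control, is a patch-triage decision that depends on knowing which hosts still run a pre-fix OpenSSL build and which of those are reachable from the Internet. The script below is an added example, not Telstra’s tooling and not code from the article: it parses OpenSSL version strings (whose trailing patch letters sort after the bare release, so “1.0.1” < “1.0.1a” < “1.0.1g”), checks each host against an affected range supplied as input, and splits the unpatched hosts by exposure. The host inventory is constructed, and the range used in the sample run (1.0.1 up to but not including 1.0.1g) is assumed; it matches the fixed-in version OpenSSL published for the April 2014 heartbeat bug (CVE-2014-0160), which the article itself does not name.

```python
"""Triage OpenSSL patch status across a host inventory by Internet exposure.

Added example: hypothetical inventory and advisory range, not Telstra's data.
"""
import re
from dataclasses import dataclass

# OpenSSL release strings look like "0.9.8y", "1.0.1g" or "1.0.2".
# The letter suffix is a patch release and sorts after the bare version.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn '1.0.1g' into a tuple that compares in release order.

    Letters become a tuple of code points, so '' < ('a',) < ('z',) < ('z','a'),
    matching how OpenSSL numbered releases such as 1.0.1zb after 1.0.1z.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), tuple(ord(c) for c in letters))


def is_affected(version, first_affected, first_fixed):
    """True if version lies in [first_affected, first_fixed)."""
    v = parse_openssl_version(version)
    return parse_openssl_version(first_affected) <= v < parse_openssl_version(first_fixed)


@dataclass(frozen=True)
class Host:
    name: str
    openssl: str          # version string as reported by the host
    internet_facing: bool  # True if reachable from outside the network


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    Host("www-edge-01", "1.0.1e", internet_facing=True),
    Host("vpn-gw-01", "1.0.1g", internet_facing=True),
    Host("billing-db-02", "1.0.1f", internet_facing=False),
    Host("mail-relay-01", "0.9.8y", internet_facing=True),
    Host("intranet-wiki", "1.0.2", internet_facing=False),
]

# Assumed advisory range for the sample run (the article names no CVE).
AFFECTED_FROM = "1.0.1"
FIXED_IN = "1.0.1g"


def triage(hosts, first_affected, first_fixed):
    """Return (external_unpatched, internal_unpatched) as lists of host names.

    External hosts are the ones an outside attacker can reach and need the
    fix immediately; internal ones can be scheduled through change control.
    """
    external, internal = [], []
    for h in hosts:
        if is_affected(h.openssl, first_affected, first_fixed):
            (external if h.internet_facing else internal).append(h.name)
    return external, internal


def report(hosts, first_affected, first_fixed):
    """Human-readable summary of the triage result."""
    external, internal = triage(hosts, first_affected, first_fixed)
    return "\n".join([
        f"Affected range: >= {first_affected} and < {first_fixed}",
        f"EXTERNAL, patch now:        {', '.join(external) or 'none'}",
        f"INTERNAL, change-managed:   {', '.join(internal) or 'none'}",
    ])


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY, AFFECTED_FROM, FIXED_IN))
```

The version comparison is the part people get wrong: a plain string compare ranks “1.0.1” above “1.0.1g” and would report an unpatched host as fixed, which is why the patch letters are parsed into their own ordered component. In practice the inventory would come from a configuration management database or an agent rather than a hard-coded list, and the range from the vendor advisory.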

Like most CISOs, Burgess has to present cyber security issues to his board. And while Telstra executives are “tech savvy”, Burgess said he takes the time to explain the issues in “normal language” including what the cyber security issue is, and what can be done about it.

“Through our risk audit committee, there are regular meetings every three months and they are hearing about the information security risks that we have identified.

“It’s our customers’ data we are looking to protect, along with our company’s sensitive information.”

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.